Combating the Insider Threat at the FBI: Real World Lessons Learned - PowerPoint PPT Presentation



  1. FEDERAL BUREAU OF INVESTIGATION “Fidelity, Bravery, and Integrity” Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy

  2. Disclaimer and Introduction: The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the Department of Justice, the Federal Bureau of Investigation, or the U.S. Government, nor do they represent an endorsement of any kind.

  3. The 5 Lessons
     1. Insider threats are not hackers
     2. Insider threat is not a technical or “cyber security” issue alone
     3. A good insider threat program should focus on deterrence, not detection
     4. Avoid the data overload problem
     5. Use behavioral analytics

  4. Our IA Program & Evolution (three successive stages)
     ► Threat focus: Computer intrusion → APT → Insider
     ► Protection: N/W perimeter, firewalls, IDS, proxies, A/V, DHCP, DNS → + DLP, DRM, internal N/W, host A/V, OS, application logs, email, net flow data → + personnel data, data object interaction, non-N/W
     ► Detection technique: signature based → + N/W anomaly → + data mining, behavioral

  5. The Approach: Known Bad vs. Assumed Good
     ► Test: 65 espionage cases and the activities of over 200 non-model employees
     ► Control: The rest of the user population

  6. Lesson #1: The Misunderstood Threat
     ► NOT hackers
     ► People who joined organizations with no malicious intent
     ► Most tools and techniques are designed with the hacker in mind

  7. Not The “Knuckle Head” Problem
     ► We lose most battles 2 feet from the computer screen
     ► 24% of incidents, 35% of our time
     ► The “knuckle head” problem: policy violations, data loss, lost equipment, etc.
     ► Address with user training campaigns & positive social engineering
     ► 7% drop in incidents since last year

  8. The Most Common Threat of Them All!?!? Not So Fast.. 8

  9. Joe Says...
     ► Insider threat is not the most numerous type of threat
     ► 1900+ reported incidents in the last 10 years
     ► ~19% of incidents involve malicious insider threat actors
     ► Insider threats are the most costly and damaging
     ► Average cost $412K per incident
     ► Average victim loss: ~$15M / year
     ► Multiple incidents exceed $1 Billion
     Sources: Ponemon Data Breach Reports ’08, ’09, ’10, ’11; IDC 2008; FBI / CSI Reports ’06, ’07, ’08, ’09, ’10/’11; Verizon Business Data Breach Reports ’09, ’10, ’11, ’12, ’13; CSO Magazine / CERT Survey ’10, ’11; Carnegie Mellon CERT 2011 IP Loss Report; Cisco Risk Report ’08

  10. FBI Case Statistics, IEA 1996 - Present
     ► Data from convictions under the Industrial Espionage Act (IEA), Title 18 U.S.C., Section 1831
     ► Average loss per case: $472M

  11. Solution: Define the Insider
     ► Authorized people using their trusted access to do unauthorized things
     ► Boils down to actors with some level of legitimate access, and with some level of organizational trust
     ► Misunderstanding example: The APT is not an insider threat because they steal credentials.

  12. The Threat Tree
     ► Threats → Environmental | Human
     ► Human → Internal | External
     ► Internal → Non-malicious | Malicious
     ► External → Non-malicious | Malicious
     ► Malicious internal (CERT Threat Models): Espionage, IP Theft, I/T Sabotage, Fraud / abuse

  13. Sysadmins: Evil? Not So Fast…

  14. Joe Says…
     ► 1.5% of espionage cases reviewed involved the use of system admin privileges
     ► 0.8% of internal FBI incidents involved system admin cases
     ► CMU CERT shows different statistics for IT sabotage: 90% of IT saboteurs were system admins
     ► http://www.cert.org/blogs/insider_threat/2010/09/insider_threat_deep_dive_it_sabotage.html

  15. The Intrusion Kill Chain
     ► The Intrusion Kill Chain is excellent for attacks, but doesn’t exactly work for insider threats
     Reference: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. E.M. Hutchins, M.J. Cloppert, et al.

  16. The Insider Threat Cyber “Kill Chain” (stage: typical activity; operational security the threat applies at that stage)
     ► Recruitment / Tipping point: recruitment or cohesion; going from “good” to bad. Operational security: hiding communications with external parties
     ► Search / Recon: find the data / target; vague searching; asking coworkers to find data for them. Operational security: less time the more knowledgeable the threat
     ► Acquisition / Collection: grab the data; data hoarding. Operational security: use of crypto; renaming file extensions; off hour transfers
     ► Exfiltration / Action: game over!; egress via printing, DVDs / CDs, USBs, network transfer, emails. Operational security: spreading data downloads over multiple sessions

  17. Beware the Silver Bullet
     ► Many want you to believe insider threats are hackers in order to sell you things
     ► IDS, Firewalls, AV, etc. do not work: no rules are being broken!
     ► Question vendor claims
     ► Some great capabilities, but no “out of the box” solutions
     ► Data loss prevention, digital rights management, and IP theft protection products are maturing
     (Slide graphic: “Click Here to Catch Spy”)

  18. Lesson #2: This is Not a Simple Cyber Security Problem
     ► We trust the threat
     ► Insider threat programs are not just policy compliance shops
     ► 90% of problems are not technical
     ► Programs do not just bolt into Security Operations Centers
     ► Dedicated staff with clear objectives are a must

  19. Solution: The Multidisciplinary Approach
     ► Goal: Deter, Detect, Disrupt
     ► Identify: CI / Intel, Cyber, Personnel Security
     ► Focus: People, Enemy, Data

  20. Do You Know Your People? (sample profile shown on the slide)
     ► Serial #: 1234567; Badge #: 2345; 703-555-1212; IP Addrs: 1.1.1.1; Jdoe@ic.fbi.gov; works for Business Development
     ► Work schedule; patterns of activity

  21. The Whole Person Approach: Contextual, Psychosocial, Cyber

  22. Know Your Enemy
     ► Who would be targeting your organization?
     ► Who would they target inside your organization?
     ► Who are the high risk individuals in your organization?

  23. Know Your Data
     ► What are the crown jewels of your organization?
     ► What data / people would the enemy want to target?
     ► Action: identify sensitive data; rate the top 5 most important systems in terms of sensitive data

  24. The Value Proposition of Insider Threat and Data Protection Programs
     It’s complex. It’s expensive. It may take years to achieve tangible results. However…
     ► This is about survival in a hostile marketplace
     ► If your data is secure you can penetrate risky markets
     ► Your enemy is your business partner; are you designed that way?

  25. Lesson #3: Focus on Deterrence Not Detection
     ► Make an environment where being an insider is not easy
     ► Deploy data-centric, not system-centric security
     ► Crowd-source security
     ► Use positive social engineering
     (Slide graphic: a spectrum from Risk Averse to Risk Takers)

  26. Solution: Crowdsource Security!
     ► Aren’t security subject matter experts the best to make decisions? Nope!
     ► Francis Galton (1822-1911), a British scientist who wanted to show empirically that educated people are superior, asked “commoners” to guess the weight of an ox at a fair
     ► Results: no single villager correct, but average < 2 lbs. off; no single SME correct, average SME > 6 lbs. off

  27. Crowdsourcing Security at the FBI
     ► 13,900 people come to work armed every day
     ► Our people are trusted to enforce the law and keep the country safe
     ► If we can train them to use guns, we can train them to use data

  28. Solution: Positive Social Engineering
     ► Users will make good decisions given timely guidance
     ► Risk reduction with no impact to workflow, etc.

  29. Positive Social Engineering: RESULTS! (chart; source: Internal FBI Computer Security Logs)

  30. Lesson #4: The Data Overload Problem
     (Chart: Data Growth (TB) from D+1 yr through D+7 yr for Individual Audits, Critical App Logs, Host Monitoring and N/W Monitoring; plotted values run from 0.5 TB up to 2048 TB)

  31. Every time someone says “BYOD”, god kills a kitten

  32. Solution: Focus on Two Sources
     ► You don’t need everything
     ► HR data: to “know your people”; workplace/personnel issues
     ► System logs tracking data egress and ingress: printing, USB, CD/DVD, etc.

  33. Lesson #5: Detection of Insiders = Kinda Hard
     ► Prediction of rare events (i.e. insider threats) may not be possible
     ► Don’t waste time and money on the impossible
     ► Look for red flag indicators as they happen

  34. The Insider Threat Continuum
     ► Most people don’t evolve into true threats
     ► ~5% of the 65 espionage cases came in “bad”
     ► There are observable “red flags” we call indicators; indicators must be observable and differentiating

  35. The Problem with Prediction
     ► A rodent out-predicted our first-generation systems

  36. The Detection Problem: A Needle in a Stack of Needles

  37. Solution: Use Behavioral Detection
     ► Behavioral based detection: think more like a marketer and less like an IDS analyst
     ► Build a baseline of each user's volume, velocity, frequency, and amount against hourly, weekly, and monthly normal patterns
     ► Cyber actions that differentiate possible insiders: data exfiltration volumetric anomalies
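The baseline-and-anomaly idea from slides 32 and 37, as an added example that is not part of the presentation: a small Python script builds a per-user daily egress baseline from constructed print/USB/email log lines and flags later days whose volume is far outside that user's normal, also reporting how much of it moved off hours. The log format, user names, 07:00-18:59 business-hours window and the 3-sigma threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample egress log (not real FBI data): user,timestamp,channel,bytes
SAMPLE_LOG = """\
jdoe,2013-03-04T09:15:00,print,460000
jdoe,2013-03-05T14:02:00,email,590000
jdoe,2013-03-06T10:40:00,usb,410000
asmith,2013-03-04T11:00:00,email,200000
asmith,2013-03-05T11:30:00,email,210000
asmith,2013-03-11T10:00:00,email,205000
jdoe,2013-03-11T02:10:00,usb,4800000000
jdoe,2013-03-11T02:40:00,usb,5100000000
"""
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 is a normal working day

def parse_events(text):
    """Yield (user, datetime, channel, bytes) from the CSV-style lines."""
    for line in text.strip().splitlines():
        user, ts, channel, nbytes = line.split(",")
        yield user, datetime.fromisoformat(ts), channel, int(nbytes)

def daily_totals(events):
    """Sum egress bytes per (user, day), tracking the off-hours share separately."""
    totals = defaultdict(lambda: {"bytes": 0, "off_hours": 0})
    for user, ts, _channel, nbytes in events:
        agg = totals[(user, ts.date())]
        agg["bytes"] += nbytes
        if ts.hour not in BUSINESS_HOURS:
            agg["off_hours"] += nbytes
    return totals

def find_volumetric_anomalies(log_text, baseline_end, z_threshold=3.0):
    """Baseline each user's daily egress before baseline_end, then z-score later days;
    users with fewer than two baseline days are skipped rather than scored."""
    cutoff = datetime.fromisoformat(baseline_end).date()
    totals = daily_totals(parse_events(log_text))
    history = defaultdict(list)
    for (user, day), agg in totals.items():
        if day < cutoff:
            history[user].append(agg["bytes"])
    findings = []
    for (user, day), agg in sorted(totals.items()):
        if day < cutoff or len(history[user]) < 2:
            continue
        mu, sigma = mean(history[user]), pstdev(history[user])
        diff = agg["bytes"] - mu
        z = diff / sigma if sigma else (float("inf") if diff > 0 else 0.0)
        if z > z_threshold:
            findings.append({"user": user, "day": day.isoformat(), "bytes": agg["bytes"],
                             "off_hours_bytes": agg["off_hours"], "z": round(z, 1)})
    return findings
```

On the sample, only jdoe's 2013-03-11 is flagged (roughly 9.9 GB, all of it off hours), while asmith's ordinary day scores near zero; a real deployment would baseline per hour-of-week band and use robust statistics rather than mean and standard deviation.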
